Hackers hit S.C. tax agency, get data from 3.6m returns

Share via e-mail

CHARLESTON, S.C. — About 3.6 million tax returns from as far back as 1998 were hacked in South Carolina and specialists said Wednesday it may be the largest cyberattack against a state tax department in the nation’s history.

State and federal officials are investigating the hacking they say may have started in August and was discovered last month. They say the vulnerability in the system has been fixed. The 3.6 million tax returns filed since 1998 included millions of Social Security numbers and about 387,000 credit and debit card numbers that were also exposed, 6,000 of those unencrypted. Tax information from businesses across the state may also have been accessed.

‘‘I believe it might actually be the largest against a state government, but certainly of a state tax department,’’ said Paul Stephens of the Privacy Rights Clearinghouse based in San Diego.

‘‘We’ve never heard of anything like this so I think you can say that,’’ agreed Verenda Smith, the deputy director of the National Federation of Tax Administrators in Washington.

On Wednesday, a former state senator filed a lawsuit against the state Department of Revenue and the governor accusing them of failing to protect taxpayers. Attorney John Hawkins is seeking class-action status hoping to represent all taxpayers whose data were compromised.

He says the state should have taken cost-effective steps to protect information and notified the public sooner.

There have been bigger security breaches that could lead to identity theft.

Private information for as many as 76 million veterans may have been compromised when a defective hard drive from the Department of Veterans Affairs was sent for recycling with the information on it. The largest case of credit and debit card data theft in the nation occurred when a hacker swiped information on 130 million accounts.

One of the issues swirling around the South Carolina hacking is whether the information should have been encrypted.

‘‘The question is wrong,’’ said Smith, whose agency provides services and training to state tax officials and agencies. ‘‘It’s not as simple as do you encrypt Social Security numbers. Everybody encrypts. It’s just a question of what stage it is and where it is’’ when it was snatched by a hacker.